Active Exploitation of CVE-2025-24054: NTLM Hash Disclosure Vulnerability in Windows

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a medium-severity security flaw, identified as CVE-2025-24054, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability affects Microsoft Windows and has been observed under active exploitation.

CVE-2025-24054 is a Windows New Technology LAN Manager (NTLM) hash disclosure spoofing vulnerability with a Common Vulnerability Scoring System (CVSS) score of 6.5. Microsoft addressed this issue in March 2025 as part of its Patch Tuesday updates.

NTLM, a legacy authentication protocol, has been officially deprecated by Microsoft in favor of Kerberos. Despite its deprecation, NTLM remains a target for threat actors, who capture NTLM hashes and reuse them in pass-the-hash and relay attacks for subsequent malicious activity.

According to CISA, Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network. Microsoft’s March bulletin elaborated that the vulnerability could be triggered by minimal interaction with a specially crafted .library-ms file, such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file.

The flaw was discovered and reported by security researchers Rintaro Koike from NTT Security Holdings, 0x6rss, and j00sean. Initially, Microsoft assessed the exploitability of CVE-2025-24054 as "Exploitation Less Likely." However, Check Point reported active exploitation of the vulnerability since March 19, 2025, enabling attackers to leak NTLM hashes or user passwords and infiltrate systems.

Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malicious spam emails to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.

This vulnerability is considered a variant of CVE-2024-43451, which was patched by Microsoft in November 2024 and has also been exploited in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.

The attack vector involves distributing ZIP archives that, when downloaded and extracted, cause Windows Explorer to initiate an SMB authentication request to a remote server, leaking the user’s NTLM hash without any user interaction. Subsequent phishing campaigns have delivered files named Info.doc.library-ms without compression, further facilitating the exploitation of this vulnerability.

Since the initial wave of attacks, at least ten campaigns have been observed with the goal of retrieving NTLM hashes from targeted victims. These attacks leverage malicious .library-ms files to collect NTLMv2 hashes, increasing the risk of lateral movement and privilege escalation within compromised networks.
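As an added defender-side illustration (not part of the original report), the script below applies two detections to constructed sample logs: .library-ms attachments arriving at the mail gateway, and outbound SMB (TCP/445) from internal hosts to external addresses, which is the traffic an NTLM hash leak produces. The log formats, hostnames, addresses and internal ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample mail-gateway log: "<ts> <sender> -> <recipient> attachment=<name>"
MAIL_LOG = """\
2025-03-20T09:12:01Z mailer@example.net -> finance@corp.example attachment=Invoice_Q1.pdf
2025-03-20T09:14:37Z notify@example.org -> hr@corp.example attachment=Info.doc.library-ms
2025-03-21T11:02:10Z sender@example.com -> ops@corp.example attachment=report.zip
"""
# Constructed sample perimeter firewall log: "<ts> <src>:<sport> -> <dst>:<dport> <action>"
FW_LOG = """\
2025-03-20T09:15:02Z 10.0.4.21:51234 -> 10.0.1.5:445 allow
2025-03-20T09:15:09Z 10.0.4.21:51240 -> 203.0.113.45:445 allow
2025-03-20T09:16:00Z 10.0.4.22:51300 -> 198.51.100.7:443 allow
"""
MAIL_RE = re.compile(r"^(\S+) (\S+) -> (\S+) attachment=(\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")
# Assumed internal address space (RFC 1918); adjust to the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_attachments(log: str) -> list[str]:
    """Inbound attachment names ending in .library-ms (case-insensitive).
    Merely selecting such a file in Explorer can trigger NTLM authentication,
    so a lure like Info.doc.library-ms should be quarantined at the gateway."""
    hits = []
    for line in log.splitlines():
        m = MAIL_RE.match(line)
        if m and m.group(4).lower().endswith(".library-ms"):
            hits.append(m.group(4))
    return hits


def outbound_smb_to_external(log: str) -> list[tuple[str, str, str]]:
    """(src, dst, action) for TCP/445 flows from internal hosts to external ones.
    This is the path an NTLM hash takes when Explorer answers a remote SMB
    server's challenge; an 'allow' means the perimeter did not stop it."""
    flows = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m or int(m.group(5)) != 445:
            continue
        src, dst, action = m.group(2), m.group(4), m.group(6)
        if is_internal(src) and not is_internal(dst):
            flows.append((src, dst, action))
    return flows
```

Blocking outbound TCP/445 at the perimeter turns the second detection into a prevention; the first remains useful because the lure can also arrive uncompressed or inside a ZIP.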

The rapid exploitation of CVE-2025-24054 underscores the critical need for organizations to apply patches promptly and address NTLM vulnerabilities within their environments. The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes for this vulnerability by May 8, 2025, to secure their networks against potential exploitation.